Hacking by the Books: Barnes & Noble PIN Pads Bugged

Despite increased security awareness, techniques and technologies, retail hacking remains a threat. This week, Barnes & Noble revealed that some of its customers were victimized by a PIN pad data heist. Now the company has to redouble its security efforts and figure out how to rebuild customer confidence.

Barnes & Noble revealed this week that PIN pad devices at 63 of its stores nationwide were hacked, putting some of its customers at risk. The company discovered the hacking in September, and for the past month, the FBI has been investigating the case.

Fewer than 1 percent of Barnes & Noble PIN pads reportedly were affected, but customers who swiped their credit and debit cards on those machines could have had important personal data -- including card and PIN numbers -- stolen.

In response, the chain has ceased using all PIN pads in its stores, and it has identified the affected locations in California, Connecticut, Florida, New Jersey, New York, Illinois, Massachusetts, Pennsylvania and Rhode Island.

The company is not providing any information or comment beyond its disclosure of basic facts about the hacking.

"We're not commenting because of the FBI investigation that's ongoing," Mary Ellen Keating, Barnes & Noble's senior vice president with corporate communications and public affairs, told the E-Commerce Times.

Old Technology or Sophisticated Criminals?

One factor that could make retailers more vulnerable to attacks like this could be the use of outdated equipment.

"If these [PIN pads] were older, they might not have all possible security features," information security consultant and cofounder of
NetSPI Seth Peter told the E-Commerce Times. "I wonder if they were using technology that was tamper-proof. It comes down to the age of these devices."

Given the nature of the breach and the access to the PIN pads it required, this could have been an inside job -- at least in part.

"You can't discount the possibility that there was some insider collusion," said Peter.

Yet the case does appear to have the hallmarks of a sophisticated criminal effort.

"Retailers in general are being targeted by elite hacker crews," Tom Kellermann, vice president of cybersecurity with
Trend Micro, told the E-Commerce Times. "This has grown dramatically over the last few years."

A breach like this highlights the need for multiple layers of security, according to Kellermann. In other words, encrypting data is no longer enough.

"Stores are over-reliant on encryption, but hackers can get underneath that encryption by leveraging targeted attacks against the terminals themselves or the networks of the stores themselves," said Kellermann.

"Encryption is important, but with the blended attacks being brought by organized crime, you have to implement layered security and custom defenses," he said. "We have to move away from encryption-overreliance to custom defense."

Securing Confidence

The main task for Barnes & Noble going forward will be to gain back the confidence of its customers. The chain has recommended that customers who shopped at the affected stores check their statements for unauthorized charges, change their PIN numbers, and take other precautionary measures.

Since federal authorities and financial institutions are working with the company to investigate the breach, and the retailer is swiping credit and debit cards directly at registers and not at PIN pads, consumers can probably rest assured that their data is relatively safe.

"The experts at the FBI are narrowing down their exposure, so I would feel comfortable with doing transactions at Barnes & Noble," said Kellermann. "I would go to [there] to purchase something today."

It's not easy to restore a sense of security once it's been lost, however, and regaining consumer trust will take some time and effort.

"They talk about how they've removed devices, [and how] they've taken a corrective course of action, which should be adequate," said Peter.

However, "that doesn't tell us how that breach happened, and if there are other possible breaches," he pointed out. "Until the known source of the breach is determined, Barnes & Noble should announce some of the things that they've done to increase consumer confidence."